Re: [NSE script] Data Access Messaging Protocol used by Ingres Data Access server (iigcd)

[Daniel Miller <bonsaiviking () gmail com>]

Quentin,

Thanks for your patience. I am looking into this now, having installed
Ingres and downloaded the source to see if I can help refine the results.
Here are some observations so far:

1. It's best to use ASCII values when you can (e.g. "JCTL" instead of
"\x4a\x43\x54\x4c") in both the probe and match lines. This makes things
clearer.

2. We shouldn't capture (enclose in parentheses) anything in the match line
that we don't intend to keep for display. For your match, this pretty much
means dropping the parentheses, though you'll still need one non-capturing
group (?:example|alternation).

3. This seems to work for the II7 listener (port 21071), but fails for the
II listener (port 21064). Here are the relevant log lines:

localhost         ::[60441        IIGCC, 17111     , 0000000000000002]: Thu
Jul 24 19:45:06 2014 E_GC2812_TL_INVALID_CONNCTN    TL internal error:
Received unknown connection id 0000544C from partner.
localhost         ::[60441        IIGCC, 17111     , 0000000000000002]: Thu
Jul 24 19:45:06 2014 E_GC2806_TL_FSM_INP    TL internal error: Invalid
input event in TL FSM

Note that the connection id ends in 544C, which is the "TL" portion of
"JCTL"

4. I'm looking into whether it's better to send a JCTL or DMTL header,
since it depends on how the service is configured, and some may be
rejected. If this ends up needing multiple probes in order to check each of
the transport layers and message layer types, then maybe we should move it
back into an NSE script, leaving the most-likely one as a service-probe.

That's all I have for now, but I will continue to look at this. Please feel
free to correct any strange ideas I have, since I've only just started
looking at this service.

Dan


On Wed, Jul 9, 2014 at 10:16 AM, qhardyfr () gmail com <qhardyfr () gmail com>
wrote:

> Hello everyone,
>
> I think the following service probe for Ingres is good.
>
> Is the Ingres service probe in the current nmap version?
>
> If no, when this service probe will be pushed in the current nmap version?
>
> Thank you in advance,
>
> --
> Quentin HARDY
>
>
> ---------- Forwarded message ----------
> From: qhardyfr () gmail com <qhardyfr () gmail com>
> Date: 2014-06-16 11:03 GMT+02:00
> Subject: Fwd: [NSE script] Data Access Messaging Protocol used by Ingres
> Data Access server (iigcd)
> To: Daniel Miller <bonsaiviking () gmail com>
>
>
> Hello Daniel,
>
> What do you think of the Ingres service-probes ?
>
> Is this script OK?
>
> Thank you in advance,
>
> --
> Quentin HARDY
>
> ---------- Forwarded message ----------
> From: qhardyfr () gmail com <qhardyfr () gmail com>
> Date: 2014-06-08 23:02 GMT+02:00
> Subject: Re: [NSE script] Data Access Messaging Protocol used by Ingres
> Data Access server (iigcd)
> To: Daniel Miller <bonsaiviking () gmail com>
>
>
> Hello Daniel,
>
> I have written the nmap-services line and the nmap-service-probes script:
>
> [+] In the nmap-services file, replace
> """unknown 21071/udp       0.000654"""
> by
> """ingres-dam      21071/tcp       0.000654 #Data Access Messaging
> Protocol used by Ingres Data Access Server (iigcd)"""
>
> [+] In the nmap-service-probes file, add this source code in order to
> detect the DAM protocol:
> """
> ##############################NEXT PROBE##############################
> #Detect the Data Access Messaging Protocol (DAM) used by Ingres Data
> Access Server (iigcd)
> #"2300" --length of the following array +2
> #"4a43544c" --Transport packet ID
> #"4352" --Connection Request (ascii ‘CR’)
> #"010102" --DAM-TL Protocol Level (lvl 2)
> #"02010f" --Packet Size
> #"0604444d4d4c" --Message Layer Protocol ID ('DMML')
> #"030d" --Length of the following Session mask
> #"010107" -- DAM-ML protocol level (lvl 7)
> #"0308daafb0479210e2e5" --Session mask
>
> Probe TCP dam-connection
> q|\x23\x00\x4a\x43\x54\x4c\x43\x52\x01\x01\x02\x02\x01\x0f\x06\x04\x44\x4d\x4d\x4c\x03\x0d\x01\x01\x07\x03\x08\xda\xaf\xb0\x47\x92\x10\xe2\xe5|
> ports 21071, 21064
>
>
> # (..) --packet length
> # "4a43544c4343" and "444d544c4343" --Only 2 possibility for the Transport
> Packet ID
> # "0604444d4d4c" --Currently, only a single message layer protocol is
> defined (444d4d4c)
> match dam-connection
> m/^(..)(\x4a\x43\x54\x4c\x43\x43|\x44\x4d\x54\x4c\x43\x43)(.*)\x06\x04\x44\x4d\x4d\x4c/s
> p/ingres-dam/
> """
>
> What do you think about that ?
>
> I will write a new Ingres nse script soon as possible in order to get the
> string connection (ex: II7) from the port.
> There is no more information to pickup from the connection because we need
> to be connected in order to get the Ingres version.
>
> Thank you for you help,
>
> --
> Quentin HARDY
_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/